ssh


Ubuntu: install / start/stop enable/disable ssh server

OpenSSH is a freely available version of the Secure Shell (SSH) protocol family of tools for remotely controlling, or transferring files between, computers.

Install SSH server

To install the openssh-server on an Ubuntu, you need execute the following command as root or using sudo:

apt-get install openssh-server -y;

Disable SSH server

To disable the ssh service, execute the following command as root or using sudo:

systemctl disable ssh;

Enable SSH server

To enable the ssh service, execute the following command as root or using sudo:

systemctl enable ssh;

Stop SSH server

To stop (or deactivate) the ssh service, execute the following command as root or using sudo:

systemctl stop ssh;

Start SSH server

To start (or activate) the ssh service, execute the following command as root or using sudo:

systemctl start ssh;

Status of SSH server

To check the status of the ssh service, execute the following command as root or using sudo:

systemctl status ssh;

CONCEPTS

In a nutshell:

  • enabled is a service that is configured to start when the system boots
  • disabled is a service that is configured to not start when the system boots
  • active is a service that is currently running
  • inactive is a service that is currently stopped and may be disabled, but it can be started and become active

In much more detail:

systemd provides a dependency system between various entities called “units” of 12 different types. Units encapsulate various objects that are relevant for system boot-up and maintenance. The majority of units are configured in unit configuration files, whose syntax and basic set of options is described in systemd.unit(5), however some are created automatically from other configuration, dynamically from system state or programmatically at runtime. Units may be “active” (meaning started, bound, plugged in, …, depending on the unit type, see below), or “inactive” (meaning stopped, unbound, unplugged, …), as well as in the process of being activated or deactivated, i.e. between the two states (these states are called “activating”, “deactivating”). A special “failed” state is available as well, which is very similar to “inactive” and is entered when the service failed in some way (process returned error code on exit, or crashed, or an operation timed out). If this state is entered, the cause will be logged, for later reference. Note that the various unit types may have a number of additional substates, which are mapped to the five generalized unit states described here.
— From man systemd

 


Ubuntu SSHD listen to multiple ports

Recently, we’ve setup an Ubuntu server behind CloudFlare that needed to listen for SSH connections.
Unfortunately, CloudFlare does not allow connections to the default SSH port which is 22.
So, to achieve what it was needed we either had to change the port that the SSH service was listening to or add an additional port.
We decided to go with the option of listening to multiple ports for SSH connections, this way users that were also behind the CloudFlare CDN could still continue to use their SSH clients without being forced to define the connection port manually.

The port listening setting is available in /etc/ssh/sshd_config, using sudo we edited the file with a text editor and searched for the following lines:

# What ports, IPs and protocols we listen for
Port 22

Right after the line that contains Port 22, we added another line for the new port (to see the list of all available open ports on CloudFlare, check this post)

And the file became as follows:

# What ports, IPs and protocols we listen for
Port 22
Port 2053

Afterwards, we restarted the SSHD service to apply the changes by executing the following command by using sudo:

systemctl restart ssh;


CloudFlare does not allow port 22 (usual SSH port) on domain 2

When you try to connect via ssh on a domain for which you are using CloudFlare as a HTTP proxy, you will get the following error:

$ ssh [email protected]
 ssh_exchange_identification: Connection closed by remote host

You have a few options to resolve for this issue:

  1. Either connect directly to the IP of the machine.
  2. Or, setup a CNAME record with no HTTP proxy for the SSH (so that you do not need to remember the IP).
    This solution does not offer any additional benefits than connecting directly to the IP of the server.
    To do that, you need to visit the configure DNS page for your site: e.g. https://www.cloudflare.com/a/dns/example.com,
    then create the CNAME named ssh, use as target your domain (e.g. example.com) and disable HTTP proxy by clicking on the orange cloud and making it gray before pressing the Add Record button.

    Then, you will be able to connect via ssh [email protected].
  3. Last solution but not least is configuring your server to listen for SSH on one of the ports of CloudFlare that are open.
    When this post was written, the following ports were available/open for any site in CloudFlare:
    For requests made via HTTP:

    80
    8080
    8880
    2052
    2082
    2086
    2095

    For requests made via HTTPS:

    443
    2053
    2083
    2087
    2096
    8443

    At the time, we were using an Ubuntu GNU/Linux server, to instruct Ubuntu SSHD to listen to multiple ports we edited the file /etc/ssh/sshd_config and right after the lines:

    # What ports, IPs and protocols we listen for
    Port 22

    we added another line with the new port we wanted to use:

    # What ports, IPs and protocols we listen for
    Port 22
    Port 2053

    After restarting the service
    service ssh restart;
    we were able to connect to our page as follows:
    ssh -p 2053 [email protected];

 


How to process tcpdump live data stream from a remote machine on a local WireShark

Recently we needed to process the results of a tcpdump command using the GUI version of WireShark on machine that did not have a window manager installed. That device was an embedded device, for which it did not make sense to even consider installing a window manager on it. So, in order to process the results of the tcpdump command we decided to use another machine that had a full working window manager installed and was able to operate the GUI version of WireShark.

For our solution to work some requirements were expected to be met by the embedded device (a.k.a. remote machine).

  1. tcpdump was installed on the remote machine
  2. ssh server was installed on the remote machine and allowed us to connect to it remotely
  3. there was a user that had remote ssh rights on the remote machine that also had the rights to execute tcpdump on the needed interfaces

Synopsis of our solution:

Just execute the following on the machine with the GUI (a.k.a. local machine)

mkfifo /tmp/board;
wireshark -k -i /tmp/board &
ssh [email protected] "tcpdump -s 0 -U -n -w - -i lo not port 22" > /tmp/board;

Explanation of our solution:

Following are the steps that we performed on the local machine to pipe the results of tcpdump on the remote machine on the wireshark on the local machine.

  1. First we created a named pipe as follows:
    mkfifo /tmp/board;
    You can name your pipe anyway you like and place it in any folder you wish. We used /tmp as our pipe is a temporary construct that we do not care to preserve across time/restarts.
  2. Then we started wireshark from a terminal so that we could pass as capture interface the named pipe we just created using the -i /tmp/board parameter. The -k parameter instructs wireshark to start the capture session immediately.
    wireshark -k -i /tmp/board &
    Since this operation was going to execute for a long time, we sent it to the background to release the terminal for further use by placing the & symbol at the end of the command.
  3. Finally, we started tcpdump over ssh on a board and redirected its output to our named pipe.
    ssh [email protected] "tcpdump -s 0 -U -n -w - -i lo not port 22" > /tmp/board;
    The parameters we used on tcpdump have the following effects:
    -s 0 instructs tcpdump to set the snapshot length of data from each packet to the default value of 262144 bytes.
    -U Since the -w option is not specified, make the printed packet output packet-buffered. Which means that it will print the description of the contents of each packet without waiting for the output buffer to get full.
    -n Does not convert host addresses to names. This can be used to avoid DNS lookups.
    -w - Write the raw packets to Standard Output rather than parsing them.
    -i lo Defines which interface to listen on. We wanted the loopback interface to listen to everything.
    not port 22 Since we used ssh to start this command, we do not want to listen to the data that we produce as well and flood the inputs.

 


CentOS 6: install / start and stop / enable and disable ssh server

Install

To install the openssh-server, you need to install the openssh-server package:

sudo yum install -y openssh-server;

Start

To start the sshd daemon (openssh-server) in the current session:

sudo service sshd start;

Stop

To stop the active (if any) sshd daemon in the current session:

sudo service sshd stop;

Enable

To configure the sshd daemon to start automatically at boot time:

sudo chkconfig sshd --add;
sudo chkconfig sshd on --level 2,3,4,5;

Disable

To configure the sshd daemon to stop automatic initialization at boot time:

sudo chkconfig sshd off;
sudo chkconfig sshd --del;

How to instruct SSH use only my password and ignore my (rsa) key

Recently, we wanted to connect to a machine via SSH without using the default RSA key that was available in the client’s profile (~/.ssh/id_rsa).

We needed to avoid using the public key authentication method for two reasons:

  1. The client did not want to share the passphrase with us
  2. We did not want to move the key, not even temporarily

So, to connect via SSH while ignoring the key completely we connected using the following command

ssh -o PreferredAuthentications=keyboard-interactive,password -o PubkeyAuthentication=no [email protected];

Explanation of parameters:

  • -o Was used to give options in the format used in the configuration file (/etc/ssh/ssh_config). It is useful for specifying options for which there is no separate command-line flag available.
  • -o PreferredAuthentications can be used to change the default order of authentication and bypass the GSSAPI-based authentication, the host-based authentication, the public key authentication and the challenge-response authentication.
    -o PreferredAuthentications=keyboard-interactive,password instructs the server to perform the authentication through the keyboard-interactive method and if that method is not available to use the password method.
    The keyboard-interactive authentication method is a request for all different pieces of information needed for the authentication. The server can specify, which inputs need to be hidden when user types them and which are not.
    The password authentication is a request for a single password. There is no configuration sent by the server. So the client decides how to format the prompt.
  • -o PubkeyAuthentication=no Specifies whether to try public key authentication. By setting the value to no it disables it.

Using aliases for SSH

An extremely helpful feature of ssh is the ability to define aliases using its configuration files:

  • ~/.ssh/config
  • /etc/ssh/ssh_config

~/.ssh/config contains configuration that is only available to your user and any user can create one for themselves.
/etc/ssh/ssh_config contains configuration that applies to all users of the system and only administrators can modify it.

Note: ~/.ssh/config should only have read and write access rights by its owner only!
Be sure to execute the following after your create it:

chmod 600 ~/.ssh/config;

Example 1 – Creating an alias for a host name:

Assuming we are too bored to type the full domain of a server, we can define a shorter name as follows:

Host bf
    HostName bytefreaks.net

by having this configuration lines in your ~/.ssh/config file, you can shorten the command ssh bytefreaks.net; to ssh bf;.

Example 2 – Creating an alias for a host name with specific username:

In the next example, we create a new alias that not only will automatically set the host name but also the username

Host bf
    HostName bytefreaks.net
    User george

by having this configuration lines in your ~/.ssh/config file, you shorten the command ssh [email protected]; to ssh bf;.

Example 3 – Creating an alias for a host name with specific username and port:

In the next example, we create a new alias for a specific host name, username and ssh port number

Host bf
    HostName bytefreaks.net
    User george
    Port 22300

The above will shorten ssh [email protected] -p 22300 to ssh bf;.

Example 4 – Creating an alias for a host name with specific username and identity file:

Host bf
    HostName bytefreaks.net
    User george
    IdentityFile /path/to/needed/private/key/id_rsa

The above will shorten ssh [email protected] -i /path/to/needed/private/key/id_rsa; to ssh bf;

For more information on the capabilities of the configuration files, please review the following documentation page as it has a whole lot more of useful information: http://man.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man5/ssh_config.5

Repeated note: ~/.ssh/config should only have read and write access rights by its owner only!
Be sure to execute the following after your create it:

chmod 600 ~/.ssh/config;

Fedora 25: install / start / enable ssh server

Install

To install the openssh-server, you need to install the openssh-server package:

sudo dnf install -y openssh-server;

Start

To start the sshd daemon (openssh-server) in the current session:

sudo systemctl start sshd.service;

Stop

To stop the active (if any) sshd daemon in the current session:

sudo systemctl stop sshd.service;

Enable

To configure the sshd daemon to start automatically at boot time:

sudo systemctl enable sshd.service;

You will get an output similar to this:

ln -s '/usr/lib/systemd/system/sshd.service' '/etc/systemd/system/multi-user.target.wants/sshd.service'

Disable

To configure the sshd daemon to stop automatic initialization at boot time:

sudo systemctl disable sshd.service;

[GitLab.com] Clone all repositories in your account

GitLab.com offers a public API that allows us to get information related to our accounts. One of the API calls available is the account projects call (http://gitlab.com/api/v3/projects).

This call will return a JSON object describing the projects available to your account.

To clone all of the projects available to you, you can use the following:

TOKEN="PASTE_YOUR_PRIVATE_TOKEN_HERE"; PREFIX="ssh_url_to_repo"; curl --header "PRIVATE-TOKEN: $TOKEN" http://gitlab.com/api/v3/projects | grep -o "\"$PREFIX\":[^ ,]\+" | awk -F ':' '{printf "ssh://"; for (i=2; i<NF; i++) printf $i "/"; print $NF}' | xargs -L1 git clone

The above code will bring the JSON object, filter out everything except for the “ssh_url_to_repo” member of each project and then it will use it to clone the project by fixing up the URL to be used by git.

To get the above code working: the GitLab API requires that you use a token that is related to your account instead of using your credentials to make the call to the API.

To get your private token, visit this page http://gitlab.com/profile/account , the private token is the random sequence of characters in the white box:

[GitLab.com] Private TokenYou need to copy that value in the place of the variable TOKEN in the above script.

In case you have a lot of projects (more than 10), the default call will only produce the results for the first 10 repositories only.

To list all available repositories you have two options:

  1.  Set the per_page query parameter to a value big enough to fetch all your projects information if they are less than 100. e.g http://gitlab.com/api/v3/projects?per_page=100
  2. Follow the link headers from the initial response to make all the next calls.

[BitBucket.org] Clone all repositories of your account 2

Clone all bitbucket projects

 BBA=MyUserName; curl --user ${BBA} https://api.bitbucket.org/2.0/repositories/${BBA} | grep -o '"ssh:[^ ,]\+' | xargs -L1 git clone 

The above curl call will connect to the server using your username and return the list of repositories that are available to your account.

Please note that you need to provide you username NOT your email.
If you make these calls using the email that was used to register the account, then the call will fail.

After the call succeeds, the results will be filtered and each repository will be cloned to the current folder.
In case your ssh key is locked via a password, each time a clone operation will start, you will be asked for the password.

Example:

BBA="bytefreaks"; curl --user ${BBA} https://api.bitbucket.org/2.0/repositories/${BBA} | grep -o '"ssh:[^ ,]\+' | xargs -L1 git clone
Enter host password for user 'bytefreaks':
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  3834  100  3834    0     0   4414      0 --:--:-- --:--:-- --:--:--  4411
Cloning into 'bluetoothclicker'...
Warning: Permanently added the RSA host key for IP address '104.192.143.1' to the list of known hosts.
Enter passphrase for key '/home/bytefreaks/.ssh/BitBucket/id_rsa': 
warning: You appear to have cloned an empty repository.
Checking connectivity... done.
Cloning into 'watch'...
Enter passphrase for key '/home/bytefreaks/.ssh/BitBucket/id_rsa': 
warning: You appear to have cloned an empty repository.
Checking connectivity... done.

List all bitbucket projects

In case what you want is just to list your repositories, execute the following:

 curl --user ${BBA} https://api.bitbucket.org/2.0/repositories/${BBA} | grep -o '"ssh:[^ ,]\+' | xargs -L1 echo 

Usage instructions: set your username to the BBA variable and execute.

BBA="bytefreaks"; curl --user ${BBA} https://api.bitbucket.org/2.0/repositories/${BBA} | grep -o '"ssh:[^ ,]\+' | xargs -L1 echo
Enter host password for user 'bytefreaks':
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  3834  100  3834    0     0   3543      0  0:00:01  0:00:01 --:--:--  3546
ssh://[email protected]/bytefreaks/bluetoothclicker.git
ssh://[email protected]/bytefreaks/watch.git